Lots of sites nowadays offer the option to log in via Google, Facebook, LinkedIn and so on, and sometimes a standard username/password option as well.
While this goes a long way toward helping users ...

I came across a number of login configuration settings where there is a list of allowable special characters and was wondering:
Does this limitation cater for a specific security or usability need?
...

This question is geared for a line of business application someone would pay for, not a general public facing website.
Is it better to redirect for authentication/re-authentication or show a pop-up?
...

What I am trying to avoid here is brute force attacks on a user's password. And I am thinking about doing that by invalidating his password when too many attempts are made in the same minute, hour, ...